10637744

Complementary Workflows for Identifying One-Hop Network Behavior and Multi-Hop Network Dependencies

Published: April 28, 2020

Patent Claims
30 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. In a computer system, a method comprising: receiving network flow information; in a first workflow, identifying one-hop network behavior of at least some of a set of network assets based on a first evaluation of the network flow information, wherein each network asset of the set of network assets is a network node or service, and wherein, for a given network asset among the set of network assets, the one-hop network behavior indicates patterns of communication to and/or from the given network asset individually; in a second workflow, identifying multi-hop network dependencies between at least some of the set of network assets based on a second evaluation of the network flow information, wherein the multi-hop network dependencies indicate patterns of communication between combinations of network assets among the set of network assets; and outputting results of the identifying the one-hop network behavior and/or results of the identifying the multi-hop network dependencies.

Plain English Translation

This invention relates to network monitoring and analysis, specifically for identifying communication patterns and dependencies within a computer network. The problem addressed is the need to understand both direct (one-hop) and indirect (multi-hop) interactions between network assets, such as nodes or services, to improve security, troubleshooting, and performance optimization. The method involves receiving network flow information, which captures data about network traffic. In a first workflow, the system analyzes this data to identify one-hop network behavior for individual assets. This behavior reflects direct communication patterns to and from each asset, such as which other assets it interacts with immediately. In a second workflow, the system evaluates the same network flow data to detect multi-hop dependencies, which reveal indirect communication paths and relationships between multiple assets. These dependencies show how assets influence or interact with each other over multiple hops, providing a broader view of network interactions. The results of both workflows are then output, enabling users to visualize or further analyze the network's communication structure. This dual-analysis approach helps in detecting anomalies, optimizing network performance, and identifying critical dependencies that could impact security or reliability. The invention improves upon traditional monitoring by combining direct and indirect network behavior analysis in a structured workflow.

Claim 2

Original Legal Text

2. The method of claim 1, wherein the one-hop network behavior for the given network asset summarizes outgoing communications from the given network asset and/or incoming communications to the given network asset.

Plain English Translation

This dependent claim pins down what the one-hop behavior of claim 1 consists of: for a given asset, it summarizes the communications that asset sends (outgoing), the communications it receives (incoming), or both. The summary is a per-asset profile of direct communications only; it does not follow traffic onward through other assets. Such a profile is what the later claims compare between assets and across successive time windows, so that an asset that starts talking to new services, or accepting connections it never accepted before, stands out both from its own past behavior and from its peers.

Claim 3

Original Legal Text

3. The method of claim 1, further comprising, as part of the first workflow: pre-processing the network flow information to produce records of network flow information; for each of the records, mapping the record to a nested set of tags; using association rule learning to extract frequent item sets from the nested sets of tags for the records, wherein the association rule learning is machine learning that identifies frequently-occurring sets of tags; determining the one-hop network behavior based on the frequent item sets.

Plain English Translation

This claim spells out the first workflow of claim 1 as a pipeline. The raw network flow information is pre-processed into discrete records. Each record is mapped to a nested set of tags: instead of keeping raw field values, each field is described by tags (claims 5 to 8 detail how). Association rule learning, a machine-learning technique for finding item sets that co-occur frequently across many transactions, is run over the tag sets with each record treated as one transaction; its output is the collection of frequent item sets, that is, combinations of tags that appear together in at least a minimum fraction of the records. The one-hop network behavior of an asset is then determined from these frequent item sets, for example the recurring combinations of destination network, destination service and protocol in that asset's outgoing records. One-hop behavior here means an asset's direct communications, not traffic relayed through intermediate nodes; the latter is the subject of the second workflow. Mining tags rather than raw 5-tuples is what lets recurring behavior emerge even though exact addresses and ephemeral ports vary from flow to flow.

Claim 4

Original Legal Text

4. The method of claim 3, wherein the pre-processing includes one or more of: selectively converting unidirectional flow information, in the network flow information, to bidirectional flow information; windowing the network flow information using a time interval; and/or annotating the records with details about the network flow information.

Plain English Translation

This claim lists pre-processing steps for the first workflow, of which one or more may be used. Converting unidirectional flow information to bidirectional flow information joins the two directions of one conversation (the request flow and its reply flow, which share the same addresses, ports and protocol with the ends swapped) into a single record. The conversion is selective: a flow with no matching reverse flow within the pairing window, such as an unanswered connection attempt, remains a unidirectional record, and that fact is itself informative. Windowing splits the flow information into fixed time intervals so that behavior can be summarized per interval and compared across intervals. Annotating the records attaches details derived from the flow information, such as the interval a record falls in or which end of the conversation is the service. Together these steps turn exporter output into uniform records that the tag mapping and association rule learning of claim 3 can consume.
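The three steps of claim 4, carried through on a constructed set of unidirectional flow records. This is an added illustration, not code from the patent or its assignee; the record layout, the 5-second pairing window, the 60-second interval and the rule that the lower port marks the service are assumptions made for the example.

```python
"""Flow pre-processing: pairing directions, windowing, annotating (added example)."""
from collections import defaultdict

# Constructed sample: unidirectional records as a flow exporter would emit them.
# Timestamps are seconds. 10.0.0.5 is a client of the web server 10.0.0.20;
# 10.0.0.9 sends one SSH connection attempt that is never answered.
UNIDIRECTIONAL = [
    {"ts": 100.0, "src": "10.0.0.5",  "sport": 51000, "dst": "10.0.0.20", "dport": 443,   "proto": 6, "bytes": 1200,  "pkts": 8},
    {"ts": 100.2, "src": "10.0.0.20", "sport": 443,   "dst": "10.0.0.5",  "dport": 51000, "proto": 6, "bytes": 48000, "pkts": 40},
    {"ts": 161.0, "src": "10.0.0.5",  "sport": 51001, "dst": "10.0.0.20", "dport": 443,   "proto": 6, "bytes": 900,   "pkts": 6},
    {"ts": 161.1, "src": "10.0.0.20", "sport": 443,   "dst": "10.0.0.5",  "dport": 51001, "proto": 6, "bytes": 30000, "pkts": 25},
    {"ts": 170.0, "src": "10.0.0.9",  "sport": 40000, "dst": "10.0.0.20", "dport": 22,    "proto": 6, "bytes": 60,    "pkts": 1},
]

WELL_KNOWN = {22: "ssh", 53: "dns", 80: "http", 443: "https"}  # assumed lookup table


def to_bidirectional(flows, pair_window=5.0):
    """Join each record with its reverse-direction mate (the 5-tuple with the ends
    swapped) if one starts within pair_window seconds. Records with no mate are
    kept as unidirectional: an unanswered connection attempt is itself a signal."""
    by_key = defaultdict(list)
    for i, f in enumerate(flows):
        by_key[(f["src"], f["sport"], f["dst"], f["dport"], f["proto"])].append(i)
    used, out = set(), []
    for i, f in enumerate(flows):
        if i in used:
            continue
        used.add(i)
        reverse = (f["dst"], f["dport"], f["src"], f["sport"], f["proto"])
        mate = next((j for j in by_key.get(reverse, [])
                     if j not in used and abs(flows[j]["ts"] - f["ts"]) <= pair_window), None)
        if mate is None:
            out.append({**f, "bidirectional": False, "rev_bytes": 0, "rev_pkts": 0})
            continue
        used.add(mate)
        # Assumed convention: the direction seen first is the initiator ("forward").
        fwd, rev = sorted((f, flows[mate]), key=lambda r: r["ts"])
        out.append({**fwd, "rev_bytes": rev["bytes"], "rev_pkts": rev["pkts"], "bidirectional": True})
    return out


def window_flows(records, interval=60.0):
    """Bucket records by fixed time interval; the bucket id is floor(ts / interval)."""
    windows = defaultdict(list)
    for r in records:
        windows[int(r["ts"] // interval)].append(r)
    return dict(windows)


def annotate(record, window_id):
    """Attach details derived from the record: its window and the likely service end.
    Heuristic (assumed, not from the patent): the lower of the two ports is the service."""
    r = dict(record)
    r["window"] = window_id
    r["service_port"] = min(r["sport"], r["dport"])
    r["service"] = WELL_KNOWN.get(r["service_port"], "other")
    return r


def preprocess(flows, pair_window=5.0, interval=60.0):
    """Run the three steps in order and return annotated records, window by window."""
    records = []
    for wid, recs in sorted(window_flows(to_bidirectional(flows, pair_window), interval).items()):
        records.extend(annotate(r, wid) for r in recs)
    return records


if __name__ == "__main__":
    for r in preprocess(UNIDIRECTIONAL):
        print(r["window"], r["src"], "->", r["dst"], r["service"],
              "bidirectional" if r["bidirectional"] else "UNANSWERED", r["bytes"], r["rev_bytes"])
```

The unanswered SSH attempt from 10.0.0.9 stays unidirectional, which is the point of converting selectively: a mining step that only saw merged conversations would lose exactly the records a scan produces.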

Claim 5

Original Legal Text

5. The method of claim 3, wherein, for a given record of the records, the mapping includes applying a function to attributes of the given record to determine the nested set of tags for the given record.

Plain English Translation

This claim specifies how a record becomes a nested set of tags: a function is applied to the record's attributes and returns the tags. The set is nested because each attribute contributes its own group of tags, so the result has an outer level indexed by attribute and an inner level holding the tags that describe that attribute's value. Making the mapping a function of the attributes means the same record always yields the same tags, and the analyst controls what the mining sees by choosing the function, as claims 6 to 8 describe.

Claim 6

Original Legal Text

6. The method of claim 5, wherein the attributes include source address, source port, destination address, destination port and protocol, wherein the source address is a network source address or logical source address, and wherein the destination address is a network destination address or logical destination address.

Plain English Translation

This claim names the attributes the function of claim 5 works on: the conventional flow 5-tuple of source address, source port, destination address, destination port and protocol. The addresses may be network addresses (such as IP addresses) or logical addresses, that is, identifiers for the node or service assigned above the network layer. Allowing logical addresses matters where network addresses are reassigned frequently, because behavior should be attributed to the asset, not to whichever address it held when the flow was recorded. Only the addresses are given this network-or-logical option; the ports and the protocol are the ordinary flow fields.

Claim 7

Original Legal Text

7. The method of claim 5, wherein, for a given attribute of the attributes, the function ignores the given attribute or applies a wildcard to permit any value for the given attribute.

Plain English Translation

This claim lets the function of claim 5 treat an attribute as non-discriminating: it can ignore the attribute entirely, so no tags are produced for it, or apply a wildcard, so any value of the attribute is accepted. The typical candidate is the source port of an outgoing connection, an ephemeral number that differs on every flow and would otherwise prevent any item set containing it from ever becoming frequent. Dropping or wildcarding such attributes focuses the mining on the fields that describe what the asset talks to rather than on incidental values.

Claim 8

Original Legal Text

8. The method of claim 5, wherein, for a given attribute of the attributes, the function produces a hierarchy of tags that characterize the given attribute.

Plain English Translation

This claim is the other refinement of the function of claim 5: for an attribute, the function can emit a hierarchy of tags that characterize the value at several levels of granularity rather than a single tag for the exact value. A destination address might be tagged with its containing network prefixes as well as the host; a destination port might be tagged with its range (well-known, registered or ephemeral), the service it conventionally denotes, and the number itself. Because every level is present in the record's item set, the association rule learning of claim 3 can find a frequent pattern at a coarse level (an asset regularly talks HTTPS to one subnet) even when the fine-grained values (the individual hosts in that subnet) each occur too rarely to be frequent on their own.
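How a record's 5-tuple can become a nested set of tags under claims 5 to 8, with a hierarchy per attribute and one attribute ignored. This is an added example, not the patent's code; the prefix lengths, port bands, service table and the attribute/tag naming of the flattened items are assumptions.

```python
"""Mapping a flow record's 5-tuple to a nested set of tags (added example)."""
import ipaddress

ATTRIBUTES = ("src", "sport", "dst", "dport", "proto")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {22: "ssh", 53: "dns", 80: "http", 443: "https", 3389: "rdp"}  # assumed table

# Constructed sample record: one flow as it comes out of pre-processing.
SAMPLE_RECORD = {"src": "10.0.0.5", "sport": 51000, "dst": "10.0.1.20", "dport": 443, "proto": 6}

# Assumed policy for outgoing behavior: the ephemeral source port says nothing about
# what the asset talks to, so it is ignored (claim 7); the rest get hierarchies (claim 8).
OUTBOUND_POLICY = {"src": "hierarchy", "sport": "ignore", "dst": "hierarchy",
                   "dport": "hierarchy", "proto": "hierarchy"}


def address_tags(addr, prefixes=(8, 16, 24)):
    """Coarse-to-fine hierarchy for an address: containing prefixes, then the host."""
    tags = []
    for p in prefixes:
        net = ipaddress.ip_network(f"{addr}/{p}", strict=False)
        tags.append(f"net:{net}")
    tags.append(f"host:{ipaddress.ip_address(addr)}")
    return tuple(tags)


def port_tags(port):
    """Hierarchy for a port: range, then conventional service, then the number.
    Ephemeral ports stop at the range tag; their exact value carries no meaning."""
    if port < 1024:
        band = "well-known"
    elif port < 49152:
        band = "registered"
    else:
        return ("port:ephemeral",)
    return (f"port:{band}", f"svc:{SERVICES.get(port, 'other')}", f"port:{port}")


def proto_tags(proto):
    return (f"proto:{PROTO_NAMES.get(proto, str(proto))}",)


TAGGERS = {"src": address_tags, "sport": port_tags, "dst": address_tags,
           "dport": port_tags, "proto": proto_tags}


def map_record(record, policy):
    """Apply the tagging function to each attribute under the policy.
    Modes: "hierarchy" (tags from TAGGERS), "ignore" (attribute omitted),
    "wildcard" (attribute kept with a single tag that stands for any value)."""
    nested = {}
    for attr in ATTRIBUTES:
        mode = policy.get(attr, "hierarchy")
        if mode == "ignore":
            continue
        nested[attr] = ("*",) if mode == "wildcard" else TAGGERS[attr](record[attr])
    return nested


def flatten(nested):
    """Flatten the nested set into the item set that association rule learning consumes.
    Tags are prefixed with their attribute so that src and dst tags stay distinct."""
    return frozenset(f"{attr}/{tag}" for attr, tags in nested.items() for tag in tags)


if __name__ == "__main__":
    nested = map_record(SAMPLE_RECORD, OUTBOUND_POLICY)
    for attr, tags in nested.items():
        print(attr, "->", " > ".join(tags))
    print(sorted(flatten(nested)))
```

The nested form keeps the per-attribute hierarchies separate, which is what the claims describe; the flattened frozenset is the transaction shape the frequent-item-set mining of claim 3 consumes. Ignoring an attribute removes it altogether, while a wildcard leaves a placeholder tag so the attribute remains visibly part of the pattern.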

Claim 9

Original Legal Text

9. The method of claim 3, wherein the using association rule learning includes, for a given item set in the nested sets of tags for the records: determining support of the given item set; and comparing the support of the given item set to a threshold.

Plain English Translation

This claim describes the core test of association rule learning as used in claim 3. For a candidate item set (a set of tags), the method determines its support, the fraction or count of records whose nested tag set contains every tag in the candidate, and compares that support to a threshold. Item sets whose support meets the threshold are frequent and are kept; the rest are discarded. Because any superset of an infrequent item set is also infrequent, candidates can be grown level by level from the frequent sets of the previous level, which is the pruning strategy of the standard Apriori algorithm; the claim requires the support test, not any particular search order.

Claim 10

Original Legal Text

10. The method of claim 9, wherein the threshold is a user-specified threshold.

Plain English Translation

This claim makes the support threshold of claim 9 a value chosen by the user rather than one fixed in the system. The threshold trades sensitivity against noise: set low, many item sets become frequent, including coincidental tag combinations; set high, only the dominant patterns survive and a legitimate but occasional behavior can be missed. In practice the threshold is chosen relative to how many records an asset or time window contributes, since the same fraction means different things for a busy server and a quiet workstation.

Claim 11

Original Legal Text

11. The method of claim 3, wherein the determining the one-hop network behavior includes identifying, among the set of network assets, subsets of network assets having similar network behavior based on a measure of similarity or dissimilarity between pairs of the frequent item sets.

Plain English Translation

This claim says how the frequent item sets are turned into one-hop behavior across assets: assets are compared through a measure of similarity or dissimilarity between pairs of their frequent item sets, and subsets of assets with similar behavior are identified. Assets whose frequent item sets agree form a group, such as workstations that all talk to the same directory, mail and web services; an asset whose item sets resemble no group, or a group member whose behavior drifts away from its peers, is the one an analyst or a detection rule looks at first. The claim leaves the grouping technique open; the measure of claim 12 and the heat map of claim 16 are the concrete tools the later claims add.

Claim 12

Original Legal Text

12. The method of claim 11, wherein the measure of similarity or dissimilarity: employs a scaling parameter to adjust significance of support values; quantifies deviation between the frequent item sets; or allows partial matching of item sets.

Plain English Translation

This claim gives three properties the measure of claim 11 may have; any one suffices. A scaling parameter adjusts how much the support values of item sets contribute, so the comparison can weigh strong patterns more or less heavily than weak ones. Quantifying deviation means the measure yields a number for how far two assets' item sets differ rather than a yes/no match. Partial matching credits item sets that overlap without being identical, so that an asset whose frequent set is {HTTPS, web subnet, TCP} scores close to an asset whose frequent set is {HTTP, web subnet, TCP}, which an exact-match comparison would treat as unrelated.
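Claims 9 to 12 together, on constructed tag sets for three assets: Apriori-style frequent item set mining with a user-specified support threshold, then a dissimilarity measure between assets' frequent item sets that has all three properties of claim 12, and a grouping step for claim 11. This is an added example, not the patent's implementation; the weighted-Jaccard form of the measure, the per-tag treatment of partial matching, the single-linkage grouping and the thresholds are choices made here.

```python
"""Frequent item sets per asset and dissimilarity between assets (added example)."""
from itertools import combinations

# Constructed sample: per asset, the flattened tag set of each outgoing record
# (tags as the mapping step would produce them, source port ignored).
WEB = frozenset({"dst/net:10.0.1.0/24", "dport/svc:https", "proto/tcp"})
WEB_PLAIN = frozenset({"dst/net:10.0.1.0/24", "dport/svc:http", "proto/tcp"})
DNS = frozenset({"dst/net:10.0.2.0/24", "dport/svc:dns", "proto/udp"})
ASSETS = {
    "10.0.0.5": [WEB, WEB, DNS, WEB],                       # workstation
    "10.0.0.6": [WEB, WEB, WEB_PLAIN, DNS],                 # workstation, also uses plain HTTP
    "10.0.0.9": [                                           # host probing several services
        frozenset({"dst/net:10.0.1.0/24", "dport/svc:ssh", "proto/tcp"}),
        frozenset({"dst/net:10.0.1.0/24", "dport/svc:rdp", "proto/tcp"}),
        frozenset({"dst/net:10.0.3.0/24", "dport/svc:other", "proto/tcp"}),
        frozenset({"dst/net:10.0.3.0/24", "dport/svc:smb", "proto/tcp"}),
    ],
}


def frequent_item_sets(transactions, min_support, max_len=3):
    """Apriori-style mining: support = fraction of transactions containing the item set.
    Item sets at or above the user-specified min_support are kept, and candidates of
    size k+1 are built only from frequent size-k sets (every k-subset must be frequent)."""
    n = len(transactions)

    def support(items):
        return sum(1 for t in transactions if items <= t) / n

    frequent = {}
    candidates = {frozenset([i]) for t in transactions for i in t}
    k = 1
    while candidates and k <= max_len:
        level = {}
        for c in candidates:
            s = support(c)
            if s >= min_support:          # the threshold test of claims 9 and 10
                level[c] = s
        frequent.update(level)
        candidates = {a | b for a, b in combinations(level, 2) if len(a | b) == k + 1
                      and all(frozenset(sub) in level for sub in combinations(a | b, k))}
        k += 1
    return frequent


def dissimilarity(freq_a, freq_b, alpha=1.0, partial=False):
    """Weighted-Jaccard distance between two assets' frequent item sets (0 = identical).
    alpha scales the significance of support values (weight = support ** alpha);
    partial=True compares at the level of individual tags, so item sets that overlap
    without being identical still count as a partial match."""
    def weights(freq):
        w = {}
        for itemset, sup in freq.items():
            for key in (itemset if partial else (itemset,)):
                w[key] = max(w.get(key, 0.0), sup ** alpha)
        return w

    wa, wb = weights(freq_a), weights(freq_b)
    keys = set(wa) | set(wb)
    denom = sum(max(wa.get(k, 0.0), wb.get(k, 0.0)) for k in keys)
    if denom == 0.0:
        return 0.0
    return sum(abs(wa.get(k, 0.0) - wb.get(k, 0.0)) for k in keys) / denom


def group_similar(freq_by_asset, threshold, **measure_kw):
    """Single-linkage grouping (claim 11): an asset joins the first group holding an
    asset within threshold dissimilarity, otherwise it starts a new group."""
    groups = []
    for asset, freq in freq_by_asset.items():
        for g in groups:
            if any(dissimilarity(freq, freq_by_asset[o], **measure_kw) <= threshold for o in g):
                g.append(asset)
                break
        else:
            groups.append([asset])
    return groups


def profile_assets(assets, min_support=0.5):
    """One-hop profile per asset: its frequent item sets with their supports."""
    return {asset: frequent_item_sets(txns, min_support) for asset, txns in assets.items()}


if __name__ == "__main__":
    freq = profile_assets(ASSETS)
    for a, b in combinations(freq, 2):
        print(a, b, round(dissimilarity(freq[a], freq[b]), 3),
              round(dissimilarity(freq[a], freq[b], partial=True), 3))
    print(group_similar(freq, threshold=0.3))
```

With min_support 0.5 the two workstations share the same seven frequent item sets and differ only in the support of the HTTPS-bearing ones (0.75 versus 0.5), which gives a dissimilarity of about 0.19; the probing host scores about 0.73 against the first workstation. Raising alpha above 1 widens that support gap, and partial=True narrows the distance between the workstations because they agree on every individual tag.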

Claim 13

Original Legal Text

13. The method of claim 1, further comprising, as part of the second workflow: pre-processing the network flow information to produce input vectors; using deep learning to extract patterns in the input vectors, wherein the deep learning is machine learning that models high-level abstractions in the input vectors; and determining the multi-hop network dependencies based on the patterns.

Plain English Translation

This claim gives one realization of the second workflow of claim 1. The network flow information is pre-processed into input vectors, numeric representations of the flows suitable for a learning model. Deep learning, defined in the claim as machine learning that models high-level abstractions in the input, is applied to extract patterns, and the multi-hop network dependencies are determined from those patterns. The point of a model that captures abstractions is to find relationships between combinations of assets (a request to one service reliably followed by traffic to another) that are not visible in any single flow record. Claims 14 and 15 present an alternative, statistical realization of the same workflow.

Claim 14

Original Legal Text

14. The method of claim 1, further comprising, as part of the second workflow: pre-processing the network flow information to produce time series of information for flow aggregates; calculating cross-correlation coefficients between the time series; and determining the multi-hop network dependencies based on the cross-correlation coefficients.

Plain English Translation

This claim realizes the second workflow statistically. The flow information is pre-processed into time series for flow aggregates, for instance the bytes or flows per interval between one pair of assets or services. Cross-correlation coefficients are then calculated between the time series: for each pair of aggregates and each time lag, the coefficient measures how well one series, shifted by that lag, tracks the other. Multi-hop dependencies are determined from the coefficients: if activity on the client-to-web aggregate is consistently followed, some intervals later, by activity on the web-to-database aggregate, the two are dependent even though the client and the database never exchange a packet directly.

Claim 15

Original Legal Text

15. The method of claim 14, wherein the calculating correlation coefficients uses convolution operations, wherein the second workflow further includes smoothing the cross-correlation coefficients, and wherein the determining the multi-hop network dependencies includes determining whether a peak exists in the cross-correlation coefficients.

Plain English Translation

This claim adds three specifics to the second workflow of claim 14. The cross-correlation coefficients are calculated using convolution operations, which is the standard way to obtain the coefficient at every lag at once (the cross-correlation of two series is the convolution of one with the time-reversed other). The coefficients are then smoothed, reducing the jitter that comes from short series and bursty traffic. Finally, deciding whether a dependency exists comes down to whether a peak exists in the smoothed coefficients: a clear maximum at some lag indicates a dependency with that lag, and coefficients without a peak indicate none. All of these steps belong to the second workflow, and the time series are derived from flow aggregates, not from separate performance metrics.
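The statistical second workflow of claims 14 and 15 on two constructed flow-aggregate series: cross-correlation computed through a convolution, a moving-average smoothing of the coefficients, and a peak test. This is an added example, not the patent's code; the series, the maximum lag of 4, the smoothing width of 3 and the 0.5 peak threshold are assumptions.

```python
"""Cross-correlation of flow-aggregate time series via convolution (added example)."""

# Constructed sample: bytes per interval for two flow aggregates over 16 intervals.
# WEB_TO_DB is CLIENT_TO_WEB scaled and delayed by two intervals: the database
# traffic follows the client requests. Neither series comes from a real capture.
CLIENT_TO_WEB = [1, 1, 2, 6, 9, 8, 3, 1, 1, 2, 7, 10, 9, 4, 1, 1]
WEB_TO_DB = [1, 1] + [3 * v + 1 for v in CLIENT_TO_WEB[:-2]]


def zscore(xs):
    """Standardize a series. A flat series (no variance) maps to all zeros, so a
    constant aggregate can never produce a spurious peak."""
    n = len(xs)
    mean = sum(xs) / n
    var = sum((v - mean) ** 2 for v in xs) / n
    if var == 0:
        return [0.0] * n
    sd = var ** 0.5
    return [(v - mean) / sd for v in xs]


def convolve(a, b):
    """Full discrete convolution: out[k] = sum_i a[i] * b[k - i]."""
    out = [0.0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def cross_correlation(x, y, max_lag):
    """Normalized coefficients r[lag] = (1/N) * sum_t zx[t] * zy[t + lag] for
    lag in -max_lag..max_lag, computed as the convolution of zx with time-reversed zy.
    A positive lag means y follows x by that many intervals."""
    zx, zy = zscore(x), zscore(y)
    n = len(x)
    full = convolve(zx, zy[::-1])          # full[k] = sum_i zx[i] * zy[n - 1 - k + i]
    return {lag: full[n - 1 - lag] / n for lag in range(-max_lag, max_lag + 1)}


def smooth(coeffs, width=3):
    """Moving average over neighbouring lags; the edges use the neighbours available."""
    lags = sorted(coeffs)
    half = width // 2
    out = {}
    for i, lag in enumerate(lags):
        window = lags[max(0, i - half): i + half + 1]
        out[lag] = sum(coeffs[l] for l in window) / len(window)
    return out


def find_peak(coeffs, threshold):
    """Return (lag, value) of the maximum if it is a strict local maximum at or
    above threshold, else None: no peak means no dependency is declared."""
    lags = sorted(coeffs)
    i = max(range(len(lags)), key=lambda k: coeffs[lags[k]])
    best = coeffs[lags[i]]
    neighbours = [coeffs[lags[j]] for j in (i - 1, i + 1) if 0 <= j < len(lags)]
    if best >= threshold and all(best > v for v in neighbours):
        return lags[i], best
    return None


def find_dependency(x, y, max_lag=4, threshold=0.5, width=3):
    """Second-workflow decision for one pair of aggregates (parameters are assumed):
    correlate, smooth, then test for a peak."""
    return find_peak(smooth(cross_correlation(x, y, max_lag), width), threshold)


if __name__ == "__main__":
    print(find_dependency(CLIENT_TO_WEB, WEB_TO_DB))      # peak at lag +2
    print(find_dependency(WEB_TO_DB, CLIENT_TO_WEB))      # same peak at lag -2
    print(find_dependency(CLIENT_TO_WEB, [4] * 16))       # None: flat aggregate
```

The peak at lag +2 says the web-to-database aggregate follows the client-to-web aggregate by two intervals; running the same pair the other way round gives the same peak at lag -2, so the sign of the lag carries the direction of the dependency. Keep max_lag below the period of any periodic traffic (backups, polling), otherwise the side lobes of that periodicity can produce a second peak that is not a dependency.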

Claim 16

Original Legal Text

16. The method of claim 1, wherein the outputting results of the identifying the one-hop network behavior includes rendering a heat map of dissimilarity scores.

Plain English Translation

This claim specifies one output of the first workflow: a heat map of dissimilarity scores, the pairwise scores obtained by comparing assets' frequent item sets as in claims 11 and 12. Rows and columns index the assets (or their frequent item sets), and the color of each cell encodes how dissimilar the two behaviors are. Blocks of low-dissimilarity cells show groups of assets that behave alike; a row that is high against every other asset marks an outlier, and a group member whose row lightens over successive time windows marks behavior drift. The heat map renders existing scores, so the grouping or thresholding that produces alerts can be applied to the same scores independently of the visualization.

Claim 17

Original Legal Text

17. The method of claim 1, wherein the network flow information includes an n-tuple per network flow, the network flow being an aggregation of packets that have common protocol attributes, and wherein the network flow information is received from multiple network probes situated in a network.

Plain English Translation

This claim characterizes the input. The network flow information has an n-tuple per network flow, where a flow is an aggregation of packets with common protocol attributes (typically the same source and destination addresses, ports and protocol), and the tuple carries those attributes together with summary fields such as packet and byte counts and timestamps, as flow exporters commonly provide. The information is received from multiple network probes situated in the network, so that flows crossing different segments are all observed. A practical consequence the claim does not state: a flow that passes two probes is reported twice, so records should be deduplicated or attributed per probe before support values are computed, or the duplicated flows will look more frequent than they are.

Claim 18

Original Legal Text

18. The method of claim 1, further comprising: repeating the receiving network flow information, the identifying the one-hop network behavior, the identifying the multi-hop network dependencies, and the outputting, so as to update an assessment of the one-hop network behavior and the multi-hop network dependencies on a near real-time basis.

Plain English Translation

This claim makes the method continuous: receiving flow information, running the two workflows and outputting are repeated so that the assessment of one-hop behavior and multi-hop dependencies is updated on a near real-time basis. Each repetition consumes the flow information that has arrived since the last one, so the granularity of the update is bounded by the windowing interval of claim 4 and by how quickly the probes export their flows. Repeating the analysis is what turns per-window summaries into a baseline: an asset's frequent item sets in the current window can be compared with its own earlier windows, and a dependency peak that appears or disappears between windows signals a change in how the assets interact.

Claim 19

Original Legal Text

19. One or more non-transitory computer-readable media storing computer-executable instructions for causing a computer system, when programmed thereby, to perform operations comprising: receiving network flow information; in a first workflow, identifying one-hop network behavior of at least some of a set of network assets based on a first evaluation of the network flow information, wherein each network asset of the set of network assets is a network node or service, and wherein, for a given network asset among the set of network assets, the one-hop network behavior indicates patterns of communication to and/or from the given network asset individually; in a second workflow, identifying multi-hop network dependencies between at least some of the set of network assets based on a second evaluation of the network flow information wherein the multi-hop network dependencies indicate patterns of communication between combinations of network assets among the set of network assets; and outputting results of the identifying the one-hop network behavior and/or results of the identifying the multi-hop network dependencies.

Plain English Translation

This invention relates to network monitoring and analysis, specifically for identifying communication patterns and dependencies among network assets. The system analyzes network flow information to detect both direct (one-hop) and indirect (multi-hop) interactions between network nodes or services. One-hop behavior refers to individual communication patterns involving a single network asset, such as its connections to other assets. Multi-hop dependencies reveal indirect relationships, showing how multiple assets interact across the network. The system processes network flow data through two distinct workflows: the first workflow isolates one-hop behaviors by evaluating direct communication patterns for each asset, while the second workflow maps multi-hop dependencies by analyzing indirect communication chains between assets. The results, which may include visualizations or reports, help administrators understand network topology, detect anomalies, or optimize performance. The invention improves network visibility by correlating direct and indirect interactions, enabling better security and operational insights.

Claim 20

Original Legal Text

20. The one or more non-transitory computer-readable media of claim 19 , wherein the operations further comprise, as part of the first workflow: pre-processing the network flow information to produce records of network flow information; for each of the records, mapping the record to a nested set of tags; using association rule learning to extract frequent item sets from the nested sets of tags for the records, wherein the association rule learning is machine learning that identifies frequently-occurring sets of tags; determining the one-hop network behavior based on the frequent item sets.

Plain English Translation

This invention relates to network traffic analysis using machine learning to identify patterns in network flow data. The system processes network flow information to characterize the direct (one-hop) behavior of each network asset by finding which attributes of its flows recur together. The challenge addressed is extracting these patterns from large volumes of raw flow data without hand-written rules. The system pre-processes raw network flow data into structured records, each representing a segment of network activity. Each record is then mapped to a nested set of tags, which categorize aspects of the network flow such as source and destination addresses, ports, and protocols. Association rule learning, a machine learning technique, is applied to these tagged records to identify frequent item sets, that is, groups of tags that commonly appear together. These frequent item sets represent typical network behavior patterns, and from them the system determines one-hop network behavior: the immediate, direct communication patterns to and from a network asset. Because the patterns are learned from the data rather than specified in advance, the approach can distinguish normal traffic from unusual activity by leveraging statistical relationships between tagged flows, uncovering correlations that traditional rule-based systems may miss.

Claim 21

Original Legal Text

21. The one or more non-transitory computer-readable media of claim 19 , wherein the operations further comprise, as part of the second workflow: pre-processing the network flow information to produce input vectors; using deep learning to extract patterns in the input vectors, wherein the deep learning is machine learning that models high-level abstractions in the input vectors; and determining the multi-hop network dependencies based on the patterns.

Plain English Translation

This invention relates to network analysis using machine learning, specifically for identifying multi-hop network dependencies in network flow information. The problem addressed is the difficulty in detecting complex, indirect relationships between network nodes across multiple hops, which is critical for network optimization, security, and troubleshooting. The system processes network flow data to extract meaningful patterns and dependencies. First, the network flow information is pre-processed to generate input vectors, which are structured representations of the raw data. These vectors are then analyzed using deep learning techniques, which are a subset of machine learning designed to model high-level abstractions in the data. The deep learning model identifies significant patterns within the input vectors, which are used to determine multi-hop network dependencies. These dependencies represent indirect relationships between network nodes that are not immediately apparent in the raw flow data. The approach leverages the ability of deep learning to uncover complex, non-linear relationships in large datasets, making it particularly effective for analyzing network traffic patterns that span multiple hops. This enables more accurate network mapping, improved performance optimization, and enhanced security monitoring by identifying hidden connections that traditional methods might miss. The claim is drafted as instructions stored on non-transitory computer-readable media, that is, as software that carries out this second workflow when executed.

Claim 22

Original Legal Text

22. The one or more non-transitory computer-readable media of claim 19 , wherein the operations further comprise, as part of the second workflow: pre-processing the network flow information to produce time series of information for flow aggregates; calculating cross-correlation coefficients between the time series; and determining the multi-hop network dependencies based on the cross-correlation coefficients.

Plain English Translation

This invention relates to network monitoring and analysis, specifically for identifying multi-hop network dependencies in communication networks. The problem addressed is the difficulty in detecting indirect relationships between network flows that span multiple hops, which is crucial for network performance optimization, anomaly detection, and troubleshooting. The invention involves a system that processes network flow information to extract time-series data for flow aggregates, which are groups of related network flows. By analyzing these time series, the system calculates cross-correlation coefficients to measure the statistical relationship between different flow aggregates over time. These coefficients help identify multi-hop dependencies, where changes in one part of the network indirectly influence another part through intermediate hops. The system then uses these dependencies to improve network management, such as optimizing traffic routing, detecting anomalies, or predicting performance issues. The method includes pre-processing raw network flow data to generate time-series representations, which involve aggregating flow metrics like packet counts, latency, or throughput over time. Cross-correlation analysis is then applied to these time series to quantify the degree of synchronization or lag between different flow aggregates. High cross-correlation values indicate strong dependencies, revealing how network performance in one area affects another, even if they are not directly connected. This approach enables more accurate network modeling and proactive management.
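The second-workflow variant of claim 22, as an added example that is not the patent's own code: constructed flow records are windowed into per-(source, destination) byte time series, the Pearson cross-correlation of every pair of series is evaluated over a range of lags, and pairs whose strongest coefficient meets a threshold are reported as lagged dependencies (here a burst from A to B is followed one bin later by a call from B to C, the kind of chain the claim's multi-hop dependency captures). The bin width, lag range, threshold and flow sample are all assumptions.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed flow records (sample data, not from the patent): (timestamp_s, src, dst, bytes).
# Client A bursts to service B; B calls backend C one second after each burst; X->Y is steady.
BURSTS = [5, 0, 3, 0, 7, 0, 2, 0, 6, 0]          # bytes per 1 s bin for A->B
FLOWS = [(t, "A", "B", b) for t, b in enumerate(BURSTS) if b]
FLOWS += [(t + 1, "B", "C", b) for t, b in enumerate(BURSTS) if b]
FLOWS += [(t, "X", "Y", 2) for t in range(len(BURSTS))]

def window_series(flows, bin_s=1):
    """Pre-processing: bin the flows by time and sum bytes per (src, dst) flow
    aggregate, giving one equal-length time series per aggregate."""
    horizon = max(t for t, *_ in flows) // bin_s + 1
    series = defaultdict(lambda: [0] * horizon)
    for t, src, dst, nbytes in flows:
        series[(src, dst)][t // bin_s] += nbytes
    return dict(series)

def pearson(xs, ys):
    """Pearson coefficient; a constant series has no variance and yields 0.0."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def cross_correlation(xs, ys, max_lag):
    """Coefficient at each lag; a positive lag means ys follows xs by that many bins."""
    out = {}
    for lag in range(-max_lag, max_lag + 1):
        x_seg = xs[:len(xs) - lag] if lag >= 0 else xs[-lag:]
        y_seg = ys[lag:] if lag >= 0 else ys[:len(ys) + lag]
        if len(x_seg) >= 3:                    # too little overlap is just noise
            out[lag] = pearson(x_seg, y_seg)
    return out

def best_lag(xs, ys, max_lag):
    """Lag with the strongest absolute correlation, and its coefficient."""
    cc = cross_correlation(xs, ys, max_lag)
    lag = max(cc, key=lambda k: abs(cc[k]))
    return lag, cc[lag]

def find_dependencies(series, max_lag=3, threshold=0.8):
    """Claim 22 style: pairs of flow aggregates whose best-lag cross-correlation
    meets the threshold, oriented so the second aggregate follows the first."""
    deps = []
    for a, b in combinations(sorted(series), 2):
        lag, r = best_lag(series[a], series[b], max_lag)
        if r >= threshold:
            deps.append((a, b, lag, r) if lag >= 0 else (b, a, -lag, r))
    return deps

if __name__ == "__main__":
    for src_agg, dst_agg, lag, r in find_dependencies(window_series(FLOWS)):
        print(f"{src_agg} -> {dst_agg}: lag {lag} bin(s), r = {r:.2f}")
```

The steady X to Y flow has zero variance and is correctly reported as carrying no dependency signal; in real data the threshold and lag range would need tuning against the bin width.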

Claim 23

Original Legal Text

23. The one or more non-transitory computer-readable media of claim 19 , wherein the outputting results of the identifying the one-hop network behavior includes rendering a heat map of dissimilarity scores.

Plain English Translation

A system and method for analyzing network behavior involves identifying one-hop network behavior patterns, which are direct connections or interactions between network entities such as devices, users, or nodes. The system processes network data to detect these patterns and generates dissimilarity scores, which quantify how different the observed behavior is from expected or baseline behavior. These scores help identify anomalies, potential security threats, or deviations from normal network operations. The system then outputs the results of this analysis, including a visual representation in the form of a heat map. The heat map displays the dissimilarity scores, allowing users to quickly identify areas of high or low dissimilarity, which may indicate unusual or suspicious activity. This visualization aids in network monitoring, threat detection, and operational efficiency by providing an intuitive way to assess network behavior across different entities or time periods. The system may also include additional features such as filtering, thresholding, or alerting based on the dissimilarity scores to further enhance its utility in network security and management.

Claim 24

Original Legal Text

24. The one or more non-transitory computer-readable media of claim 19 , wherein the operations further comprise: repeating the receiving network flow information, the identifying the one-hop network behavior, the identifying the multi-hop network dependencies, and the outputting, so as to update an assessment of the one-hop network behavior and the multi-hop network dependencies on a near real-time basis.

Plain English Translation

This invention relates to network monitoring and analysis, specifically for dynamically assessing network behavior and dependencies in near real-time. The problem addressed is the need for continuous, up-to-date insights into network performance, particularly in complex multi-hop environments where dependencies between network segments can impact overall behavior. The invention involves a system that receives network flow information, which includes data about traffic patterns, latency, and other performance metrics across network nodes. It then identifies one-hop network behavior, which refers to the performance and characteristics of direct connections between adjacent nodes. Additionally, the system identifies multi-hop network dependencies, analyzing how performance in one segment of the network affects downstream or upstream segments. The system outputs an assessment of these behaviors and dependencies, providing actionable insights for network optimization. A key feature is the ability to repeat this process continuously, updating the assessment in near real-time. This ensures that the system adapts to changing network conditions, such as traffic spikes, node failures, or configuration changes, without requiring manual intervention. The continuous monitoring and analysis allow for proactive network management, reducing downtime and improving overall efficiency. The system is particularly useful in large-scale or dynamic networks where manual monitoring is impractical.

Claim 25

Original Legal Text

25. A computer system comprising a processing unit and memory, wherein the computer system implements a network analysis tool comprising: an input module configured to receive network flow information; a pre-processor configured to pre-process the network flow information, producing records of network flow information; and a pattern extractor configured to: for each of the records, map the record to a nested set of tags; use association rule learning to extract frequent item sets from the nested sets of tags for the records, wherein the association rule learning is machine learning that identifies frequently-occurring sets of tags; and determine one-hop network behavior of at least some of a set of network assets based on the frequent item sets, wherein each network asset of the set of network assets is a network node or service, and wherein, for a given network asset among the set of network assets, the one-hop network behavior indicates patterns of communication to and/or from the given network asset individually.

Plain English Translation

This invention relates to network analysis tools for identifying communication patterns in computer networks. The system addresses the challenge of understanding how network assets, such as nodes or services, interact with other assets by analyzing network flow data to detect recurring communication behaviors. The computer system includes a processing unit and memory, implementing a network analysis tool with three key components: an input module, a pre-processor, and a pattern extractor. The input module receives network flow information, which the pre-processor processes into structured records. The pattern extractor then maps each record to a nested set of tags representing attributes of the network flow. Using association rule learning, a machine learning technique, the extractor identifies frequent item sets (commonly co-occurring tags) within these nested sets. These frequent item sets are used to determine the one-hop network behavior of individual network assets, revealing patterns of communication to and from each asset. The analysis focuses on direct interactions, providing insights into how assets communicate without requiring multi-hop path reconstruction. This approach enables efficient detection of anomalous or suspicious behavior by highlighting deviations from typical communication patterns.

Claim 26

Original Legal Text

26. The computer system of claim 25 , wherein the pre-processor is configured to pre-process the network flow information by performing operations that include: selectively converting unidirectional flow information, in the network flow information, to bidirectional flow information; windowing the network flow information using a time interval; and/or annotating the records with details about the network flow information.

Plain English Translation

This invention relates to a computer system for analyzing network flow information, addressing challenges in processing and interpreting raw network traffic data. The system includes a pre-processor that prepares the network flow data by performing one or more of three operations; the claim lists them as alternatives that may be combined. It may selectively convert unidirectional flow information into bidirectional flow information, pairing the two directions of a conversation so that request and response traffic are analyzed together. It may apply time-based windowing to the network flow data, segmenting it into discrete time intervals for temporal analysis. And it may annotate the records with additional details about the network flow, such as metadata or contextual information, to enrich the dataset. These preprocessing steps improve the accuracy and usability of network flow analysis, supporting applications like traffic monitoring, security analysis, and performance optimization. The system ensures that raw network flow data is transformed into a structured, enriched format suitable for further processing or machine learning tasks. By integrating these preprocessing functions, the system provides a more robust and flexible framework for network traffic analysis.

Claim 27

Original Legal Text

27. The computer system of claim 25 , wherein, to map the record to the nested set of tags, the pattern extractor is configured to apply a function to attributes of the record to determine the nested set of tags for the record.

Plain English Translation

This invention relates to the pattern extractor of the network analysis tool of claim 25, specifically how it maps a record of network flow information to a nested set of tags. The pattern extractor applies a function to the record's attributes, such as the addresses, ports and protocol of the flow, to determine the nested set of tags for that record. Because the tags are derived by a function rather than assigned by hand, every record is categorized consistently, and the nesting allows multi-level categorization, with a coarse tag (for example a protocol) and finer tags beneath it. The tagged records are the input to the association rule learning step, so a consistent mapping is what makes the frequent item sets found there meaningful. The claim leaves the form of the function open; it could involve rule-based matching, a learned model, or another computational technique that analyzes the record's attributes and assigns the relevant nested tags.

Claim 28

Original Legal Text

28. The computer system of claim 25 , wherein, to use the association rule learning, the pattern extractor is configured to perform operations that include, for a given item set in the nested sets of tags for the records: determining support of the given item set; and comparing the support of the given item set to a threshold.

Plain English Translation

This invention relates to how the pattern extractor of claim 25 carries out association rule learning over the nested sets of tags for the records of network flow information. For a given item set within the nested tags, the pattern extractor calculates the support of the item set, which measures how frequently the item set appears across the records. The support is then compared to a predefined threshold to determine whether the item set occurs often enough to count as frequent. This filtering removes rare or weak associations, so that only recurring combinations of tags are retained as patterns of one-hop network behavior. The choice of threshold governs the trade-off between sensitivity and noise: a lower threshold admits more item sets, including incidental ones, while a higher threshold keeps only the most common combinations.

Claim 29

Original Legal Text

29. The computer system of claim 25 , wherein, to determine the one-hop network behavior, the pattern extractor is configured to perform operations that include, identifying, among the set of network assets, subsets of network assets having similar network behavior based on a measure of similarity or dissimilarity between pairs of the frequent item sets.

Plain English Translation

This invention relates to computer systems for analyzing network behavior, specifically focusing on identifying patterns in network traffic to detect anomalies or security threats. The system addresses the challenge of efficiently processing large volumes of network data to distinguish normal behavior from potentially malicious activity. The system includes a pattern extractor that examines network assets, such as devices or nodes, to determine their behavior. The pattern extractor identifies subsets of network assets that exhibit similar behavior by analyzing frequent item sets, collections of network flow attributes that occur together frequently. The system measures similarity or dissimilarity between pairs of these item sets to group assets with comparable behavior. This grouping helps in detecting deviations from expected patterns, which may indicate security breaches or performance issues. The system may also include a network behavior analyzer that uses the identified patterns to assess network health, predict potential risks, or optimize network performance. By clustering assets with similar behavior, the system can reduce false positives in threat detection and improve the accuracy of network monitoring. The approach leverages statistical and machine learning techniques to process network data efficiently, making it suitable for large-scale deployments.
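The following is an added example, not the patent's own code, that walks the first workflow of claims 20 and 25 through 29 end to end: constructed flow records are mapped to nested tag sets by a function of their attributes (claim 27), frequent item sets are mined by comparing support to a threshold (claim 28), each asset's collection of frequent item sets is its one-hop behavior, and Jaccard dissimilarity between those collections (the scores a claim 23 heat map would render) groups assets with similar behavior (claim 29). The records, the port-to-service table, the tag scheme and both thresholds are assumptions.

```python
from itertools import combinations

# Constructed, windowed flow records (sample data, not from the patent):
# (src, dst, dst_port, proto, bytes). 10.0.0.1-3 are look-alike clients,
# 10.0.0.4 an admin host, 10.0.0.10-13 servers.
RECORDS = [
    ("10.0.0.1", "10.0.0.10", 443, "tcp", 8000),
    ("10.0.0.1", "10.0.0.11", 53, "udp", 120),
    ("10.0.0.2", "10.0.0.10", 443, "tcp", 9000),
    ("10.0.0.2", "10.0.0.11", 53, "udp", 90),
    ("10.0.0.3", "10.0.0.10", 443, "tcp", 7000),
    ("10.0.0.3", "10.0.0.11", 53, "udp", 100),
    ("10.0.0.4", "10.0.0.12", 22, "tcp", 300000),
    ("10.0.0.4", "10.0.0.13", 22, "tcp", 250000),
]
SERVICE_BY_PORT = {443: "https", 53: "dns", 22: "ssh"}  # constructed lookup

def tags_for(record, asset):
    """Claim 27 style: a function of the record's attributes yields its nested
    tag set as seen from `asset`. Hierarchical tags keep every prefix level
    (port=443 and port=443/https) so item sets can form at either level."""
    src, dst, port, proto, nbytes = record
    outbound = asset == src
    return frozenset({
        "dir=out" if outbound else "dir=in",
        f"peer={dst if outbound else src}",
        f"proto={proto}",
        f"port={port}",
        f"port={port}/{SERVICE_BY_PORT.get(port, 'other')}",
        "size=small" if nbytes < 10_000 else "size=large",
    })

def frequent_item_sets(transactions, min_support, max_len=3):
    """Claim 28 style: level-wise (Apriori) search. An item set is kept when its
    support, the fraction of transactions containing it, meets min_support."""
    def support(items):
        return sum(1 for t in transactions if items <= t) / len(transactions)
    level = {frozenset([i]) for t in transactions for i in t}
    frequent, k = {}, 1
    while level and k <= max_len:
        kept = {s: support(s) for s in level}
        kept = {s: v for s, v in kept.items() if v >= min_support}
        frequent.update(kept)
        # next level: unions of frequent k-sets that differ in exactly one item
        level = {a | b for a, b in combinations(kept, 2) if len(a | b) == k + 1}
        k += 1
    return frequent

def one_hop_behavior(records, min_support=0.6):
    """Claims 20/25: an asset's one-hop behavior is the set of frequent tag
    sets mined over the records it took part in (as source or destination)."""
    assets = sorted({r[0] for r in records} | {r[1] for r in records})
    return {a: frequent_item_sets([tags_for(r, a) for r in records if a in r[:2]],
                                  min_support) for a in assets}

def dissimilarity(sets_a, sets_b):
    """Jaccard distance between two assets' frequent item set collections."""
    a, b = set(sets_a), set(sets_b)
    return 1 - len(a & b) / len(a | b) if a | b else 0.0

def group_similar(behavior, max_dissimilarity=0.2):
    """Claim 29 style: single-linkage grouping of assets whose one-hop
    behavior lies within the dissimilarity threshold."""
    parent = {a: a for a in behavior}
    def find(a):
        while parent[a] != a:
            a = parent[a]
        return a
    for a, b in combinations(behavior, 2):
        if dissimilarity(behavior[a], behavior[b]) <= max_dissimilarity:
            parent[find(a)] = find(b)
    groups = {}
    for a in behavior:
        groups.setdefault(find(a), set()).add(a)
    return sorted(groups.values(), key=sorted)
```

With these records the three look-alike clients collapse into one group while the admin host, whose flows are large SSH sessions, stands alone; an asset that drifts away from its group between two runs of the workflow is the kind of deviation the heat map is meant to surface.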

Claim 30

Original Legal Text

30. The computer system of claim 25 , wherein the network flow information includes an n-tuple per network flow, the network flow being an aggregation of packets that have common protocol attributes, and wherein the in the network flow information is received from multiple network probes situated in a network.

Plain English Translation

This invention relates to a computer system for analyzing network traffic by processing network flow information. The system addresses the challenge of efficiently monitoring and managing network traffic in large-scale networks by aggregating and analyzing packet data from multiple sources. The network flow information includes an n-tuple per network flow, where each network flow represents a group of packets sharing common protocol attributes such as source and destination IP addresses, port numbers, and protocol type. The system collects this flow data from multiple network probes distributed across the network, enabling comprehensive visibility into traffic patterns. By processing these aggregated flows, the system can detect anomalies, optimize bandwidth usage, and improve network security. The use of n-tuples allows for efficient classification and analysis of traffic, while the distributed probe architecture ensures scalability and reliability. This approach enhances network performance monitoring and troubleshooting capabilities in complex environments.

Patent Metadata

Filing Date

Unknown

Publication Date

April 28, 2020

Inventors

Thomas E. Carroll
Satish Chikkagoudar
Kristine M. Arthur-Durett
Dennis G. Thomas


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “COMPLEMENTARY WORKFLOWS FOR IDENTIFYING ONE-HOP NETWORK BEHAVIOR AND MULTI-HOP NETWORK DEPENDENCIES” (10637744). https://patentable.app/patents/10637744
